LAN Manager hash

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

I want to enable ""Do not store LAN Manager hash value on next password
change"
I read that I will need to change the password on all accounts after
enabling this setting.
Is the meaning is that all my users will get notification that they need to
change their passwords? or its only recommendation?

Thanks In Advanced!

Nir B
4 answers Last reply
More about manager hash
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi,

    This is only recommendation. There will be no user notification after you
    enable the policy.

    If your password policy is set to e.g. users must change password after
    every 70 days, you know that after 70 days all user's password will be
    stored as NT Hash. Don't forget to change e.g. service account passwords
    (for e.g. backup). These accounts are usually set to "password never
    expires". Beside that, they usually have higher privileges on the network,
    so it is even more important to get rid if LM hashes.

    Mike

    "Nir B" <nir@icomverse.com> wrote in message
    news:OY58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
    > Hi All,
    >
    > I want to enable ""Do not store LAN Manager hash value on next password
    > change"
    > I read that I will need to change the password on all accounts after
    > enabling this setting.
    > Is the meaning is that all my users will get notification that they need
    > to
    > change their passwords? or its only recommendation?
    >
    > Thanks In Advanced!
    >
    > Nir B
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    10X

    "Miha Pihler" <mihap-news@atlantis.si> wrote in message
    news:#8a8eB22EHA.3408@tk2msftngp13.phx.gbl...
    > Hi,
    >
    > This is only recommendation. There will be no user notification after you
    > enable the policy.
    >
    > If your password policy is set to e.g. users must change password after
    > every 70 days, you know that after 70 days all user's password will be
    > stored as NT Hash. Don't forget to change e.g. service account passwords
    > (for e.g. backup). These accounts are usually set to "password never
    > expires". Beside that, they usually have higher privileges on the network,
    > so it is even more important to get rid if LM hashes.
    >
    > Mike
    >
    > "Nir B" <nir@icomverse.com> wrote in message
    > news:OY58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
    > > Hi All,
    > >
    > > I want to enable ""Do not store LAN Manager hash value on next password
    > > change"
    > > I read that I will need to change the password on all accounts after
    > > enabling this setting.
    > > Is the meaning is that all my users will get notification that they need
    > > to
    > > change their passwords? or its only recommendation?
    > >
    > > Thanks In Advanced!
    > >
    > > Nir B
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    You can consider configuring all the accounts to "require user to change
    password at next login." This can even be done with a script, using
    CUSRMGR.EXE [doesn't come with windows, is part of the Windows Resource Kit]
    or with a free ADSI .VBS script that can be found in google, if you are
    using Windows 2000 or 2003. I would avoid setting this value on service
    accounts, and this value can cause problems for users that typically log in
    using RAS or VPN or Internet or any other method besides the windows logon
    by pressing CTRL-ALT-DELETE while physically attached to your internal
    network.


    "Nir B" <nir@icomverse.com> wrote in message
    news:e%23qi9K22EHA.2196@TK2MSFTNGP14.phx.gbl...
    > 10X
    >
    > "Miha Pihler" <mihap-news@atlantis.si> wrote in message
    > news:#8a8eB22EHA.3408@tk2msftngp13.phx.gbl...
    > > Hi,
    > >
    > > This is only recommendation. There will be no user notification after
    you
    > > enable the policy.
    > >
    > > If your password policy is set to e.g. users must change password after
    > > every 70 days, you know that after 70 days all user's password will be
    > > stored as NT Hash. Don't forget to change e.g. service account passwords
    > > (for e.g. backup). These accounts are usually set to "password never
    > > expires". Beside that, they usually have higher privileges on the
    network,
    > > so it is even more important to get rid if LM hashes.
    > >
    > > Mike
    > >
    > > "Nir B" <nir@icomverse.com> wrote in message
    > > news:OY58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
    > > > Hi All,
    > > >
    > > > I want to enable ""Do not store LAN Manager hash value on next
    password
    > > > change"
    > > > I read that I will need to change the password on all accounts after
    > > > enabling this setting.
    > > > Is the meaning is that all my users will get notification that they
    need
    > > > to
    > > > change their passwords? or its only recommendation?
    > > >
    > > > Thanks In Advanced!
    > > >
    > > > Nir B
    > > >
    > > >
    > >
    > >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Just to add that you may want to force sensitive accounts such as
    administrators to change their passwords right away and let other users do
    at their next interval. Additionally you would want to consider enabling
    password complexity for the domain if you have not done such already and
    disabling storage of lm hash for your non dc servers to make it harder to
    crack local administrator accounts on those computers. --- Steve


    "Nir B" <nir@icomverse.com> wrote in message
    news:OY58v912EHA.2192@TK2MSFTNGP14.phx.gbl...
    > Hi All,
    >
    > I want to enable ""Do not store LAN Manager hash value on next password
    > change"
    > I read that I will need to change the password on all accounts after
    > enabling this setting.
    > Is the meaning is that all my users will get notification that they need
    > to
    > change their passwords? or its only recommendation?
    >
    > Thanks In Advanced!
    >
    > Nir B
    >
    >
Ask a new question

Read More

Security LAN Microsoft Windows